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CLAIMS 



What is claimed is: 



1. 



An apparatus comprising: 



a key generator to generate an operating system nub key (OSNK) unique to an 
operating system (OS) nub, the OS nub being part of an operating system running on a 
secure platform; and 

a usage protector coupled to the key generator to protect usage of a subset of a 
software environment using the OSNK. 

2. The apparatus of claim 1 wherein the key generator comprises: 

a combiner to combine an identification of the OS nub and a master binding key 
(BKO) of the secure platform, the combined identification and the BKO corresponding 
to the OSNK. 

3. The apparatus of claim 2 wherein the identification is a hash value of 
one of the OS nub and a certificate representing the OS nub. 

4. The apparatus of claim 1 wherein the usage protector comprises: 

an encryptor to encrypt the subset of the software environment using the OSNK, 
the encrypted subset being stored in a storage; and 

a decryptor to decrypt the encrypted subset using the OSNK, the encrypted 
subset being retrieved from the storage. 

5. The apparatus of claim 1 wherein the usage protector comprises: 
an encryptor to encrypt a first hash value of the subset of the software 

environment using the OSNK, the encrypted first hash value being stored in a storage; 

a decryptor to decrypt the encrypted first hash value using the OSNK, the 
encrypted first hash value being retrieved from the storage; and 

a comparator to compare the decrypted first hash value to a second hash value 
to generate a compared result, the compared result indicating whether the subset of the 
software environment has been modified. 
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1 6. The apparatus of claim 1 wherein the usage protector comprises: 

2 a first encryptor to encrypt a first hash value of the subset of the software 

3 environment using the OSNK, the encrypted first hash value being stored in a storage; 

4 a second encryptor to encrypt a second hash value using the OSNK; and 

5 a comparator to compare the encrypted second hash value to the encrypted first 

6 hash value to generate a compared result, the encrypted first hash value being retrieved 

7 from the storage, the compared result indicating whether the subset of the software 

8 environment has been modified. 

1 7. The apparatus of claim 1 wherein the usage protector comprises: 

2 a decryptor to decrypt a protected private key to generate a private key using the 
O 3 OSNK; 

m 4 a signature generator coupled to the decryptor to generate a signature of the 

2 5 subset of the software environment using the private key, the signature being stored in a 

Pj 

m 6 storage; and 

P 7 a signature verifier to verify the signature to generate a modified/not modified 

5 8 flag using a public key, the signature being retrieved from the storage, the modified/not 

Q 

lf % 9 modified flag indicating whether the subset has been modified. 

n I 

FS I! 

S!J 

Q 1 8. The apparatus of claim 1 wherein the usage protector comprises: 

^2 a manifest generator to generate a manifest of the subset of the software 

3 environment, the manifest describing the subset of the software environment, the 

4 manifest being stored in a storage; 

5 a signature generator coupled to the manifest generator to generate a manifest 

6 signature using a private key, the private key being decrypted by a decryptor using the 

7 OSNK, the manifest signature being stored in the storage; 

8 a signature verifier to verify the manifest signature to generate a signature 

9 verified flag using a public key, the manifest signature being retrieved from the storage; 

10 and 

11 a manifest verifier to verify the manifest to generate a manifest verified flag, the 

12 manifest being retrieved from the storage, the manifest verified flag and the signature 

13 verified flag being tested at a test center, the test center generating a pass/fail signal to 

14 indicate whether the subset has been modified. 
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9. The apparatus of claim 1 wherein the secure platform uses an isolated 
execution mode. 

10. The apparatus of claim 1 wherein the software environment is one of a 
Windows operating system, a Windows 95 operating system, a Windows 98 operating 
system, a Windows NT operating system, and a Windows 2000 operating system. 

1 1 . The apparatus of claim 1 wherein the subset of the software environment 
is a registry of an operating system. 

12. The apparatus of claim 2 wherein the BKO is generated at random on a 
first invocation of a processor nub. 

13. A method comprising: 

generating an operating system nub key (OSNK) unique to an operating system 
(OS) nub, the OS nub being part of an operating system running on a secure platform; 
and 

protecting usage of a subset of the software environment using the OSNK. 

14. The method of claim 1 1 wherein generating the OSNK comprises: 
combining an identification of the OS nub and a master binding key (BKO) of 

the secure platform, the combined identification and the BKO corresponding to the 
OSNK. 

15. The method of claim 14 wherein the identification is a hash value of one 
of the OS nub and a certificate representing the OS nub. 

16. The method of claim 1 3 wherein protecting usage comprises: 
encrypting the subset of the software environment using the OSNK; 
storing the encrypted subset in a storage; and 

decrypting the encrypted subset from the storage using the OSNK. 
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17. The method of claim 13 wherein protecting usage comprises: 
encrypting a first hash value of the subset of the software environment using the 

OSNK, the encrypted first hash value being stored in a storage; 

decrypting the encrypted first hash value of the subset of the software 
environment using the OSNK, the encrypted first hash value being retrieved from the 
storage; and 

comparing the decrypted first hash value to a second hash value to generate a 
compared result, the decrypted first hash value being retrieved from the storage, the 
compared result indicating whether the subset of the software environment has been 
modified. 

18. The method of claim 13 wherein protecting usage comprises: 
encrypting a first hash value of the subset of the software environment using the 

OSNK, the encrypted first hash value being stored in a storage; 
encrypting a second hash value using the OSNK; and 

comparing the encrypted first hash value to the encrypted second hash value to 
generate a compared result, the encrypted first hash value being retrieved from the 
storage, the compared result indicating whether the subset of the software environment 
has been modified. 

19. The method of claim 13 wherein protecting usage comprises: 
decrypting a protected private key to generate a private key using the OSNK; 
generating a signature of the subset of the software environment using the 

private key, the signature being stored in a storage; and 

verifying the signature to generate a modified/not modified flag using a public 
key, the signature being retrieved from the storage, the modified/not modified flag 
indicating whether the subset of the software environment has been modified. 

20. The method of claim 13 wherein detecting comprises: 

generating a manifest of the subset of the software environment, the manifest 
describing the subset of the software environment, the manifest being stored in a 
storage; 
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generating a manifest signature of the manifest using a private key, the private 
key being decrypted using the OSNK, the manifest signature being stored in the 
storage; 

verifying the manifest signature to generate a signature verified flag using a 
public key, the manifest signature being retrieved from the storage; and 

verifying the manifest to generate a manifest verified flag, the manifest being 
retrieved from the storage, the manifest verified flag and the signature verified flag 
being tested at a test center, the test center generating a pass/fail signal, the pass/fail 
signal indicating whether the subset of the software environment has been modified. 

21 . The method of claim 13 wherein the secure platform uses an isolated 
execution mode. 

22. The method of claim 13 wherein the software environment is one of a 
Windows operating system, a Windows 95 operating system, a Windows 98 operating 
system, a Windows NT operating system, and a Windows 2000 operating system. 

23. The method of claim 13 wherein the subset of the software environment 
is a registry of the operating system. 

24. The method of claim 14, wherein the BKO is generated at random on a 
first invocation of a processor nub. 

25. A computer program product comprising: 

a computer usable medium having computer program code embodied therein, 
the computer program product having: 

computer readable program code for generating an operating system nub key 
(OSNK) unique to an operating system (OS) nub, the OS nub being part of an operating 
system running on a secure platform; and 

computer readable program code for protecting usage a subset of the software 
environment using the OSNK. 

26. The computer program product of claim 25 wherein the computer 
readable program code for generating the OSNK comprises: 
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computer readable program code for combining an identification of the OS nub 
and a master binding key (BKO) of the secure platform, the combined identification and 
the BKO corresponding to the OSNK. 

27. The computer program product of claim 26 wherein the identification is 
a hash value of one of the OS nub and a certificate representing the OS nub. 

28. The computer program product of claim 25 wherein the computer 
readable program code for protecting usage comprises: 

computer readable program code for encrypting the subset of the software 

environment using the OSNK; 

computer readable program code for storing the encrypted subset; and 
computer readable program code for decrypting the encrypted subset from the 

storage using the OSNK. 

29. The computer program product of claim 25 wherein the computer 
readable program code for protecting usage comprises: 

computer readable program code for encrypting a first hash value of the subset 
of the software environment using the OSNK, the encrypted first hash value being 
stored in a storage; 

computer readable program code for decrypting the encrypted first hash value 
of the subset of the software environment using the OSNK, the encrypted first hash 
value being retrieved from the storage; and 

computer readable program code for comparing the decrypted first hash value to 
a second hash value to generate a compared result, the decrypted first hash value being 
retrieved from the storage, the compared result indicating whether the subset of the 
software environment has been modified. 

30. The computer program product of claim 25 wherein the computer 
readable program code for protecting usage comprises: 

computer readable program code for encrypting a first hash value of the subset 
of the software environment using the OSNK, the encrypted first hash value being 
stored in a storage; 
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computer readable program code for encrypting a second hash value using the 
OSNK; and 

computer readable program code for comparing the encrypted first hash value to 
the encrypted second hash value to generate a compared result, the encrypted first hash 
value being retrieved from the storage, the compared result indicating whether the 
subset of the software environment has been modified. 

31 . The computer program product of claim 25 wherein the computer 
readable program code for protecting usage comprises: 

computer readable program code for decrypting a protected private key to 
generate a private key using the OSNK; 

computer readable program code for generating a signature of the subset of the 
software environment using the private key, the signature being stored in a storage; and 

computer readable program code for verifying the signature to generate a 
modified/not modified flag using a public key, the signature being retrieved from the 
storage, the modified/not modified flag indicating whether the software environment 
has been modified. 

32. The computer program product of claim 25 wherein the computer 
readable program code for protecting usage comprises: 

computer readable program code for generating a manifest of the subset of the 
software environment, the manifest being stored in a storage; 

computer readable program code for generating a manifest signature of the 
manifest using a private key, the private key being decrypted using the OSNK, the 
manifest signature being stored in the storage; 

computer readable program code for verifying the manifest signature to 
generate a signature verified flag using a public key, the manifest signature being 
retrieved from the storage; and 

computer readable program code for verifying the manifest to generate a 
manifest verified flag , the manifest being retrieved from the storage, the manifest 
verified flag and the signature verified flag being tested at a test center, the test center 
generating a pass/fail signal, the pass/fail signal indicating whether the subset of the 
software environment has been modified. 
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33. The computer program product of claim 25 wherein the secure platform 
uses an isolated execution mode. 

34. The computer program product of claim 25 wherein the software 
environment is one of a Windows operating system, a Windows 95 operating system, a 
Windows 98 operating system, a Windows NT operating system, and a Windows 2000 
operating system. 

35. The computer program product of claim 25 wherein the subset of the 
software environment is a registry of an operating system. 

36. The computer program product of claim 26 wherein the BKO is 
generated at random on a first invocation of a processor nub. 

37. A system comprising: 
a processor; 

a storage device coupled to the processor, the storage storing a subset of a 
software environment; and 

a usage protector comprising: 

a key generator to generate an operating system nub key (OSNK) unique to an 
operating system (OS) nub, the operating system nub being part of a software 
environment running on a secure platform; and 

a usage protector coupled to the key generator to protect usage of a subset of the 
software environment using the OSNK. 

38. The system of claim 37 wherein the key generator comprises: 

a combiner to combine an identification of the operating system nub and a 
master binding key (BKO) of the secure platform, the combined identification and BKO 
corresponding to the OSNK. 

39. The system of claim 38 wherein the identification is a hash value of one 
of the OS nub and a certificate representing the OS nub. 
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40. The system of claim 37 wherein the usage protector comprises: 

an encryptor to encrypt the subset of the software environment using the OSNK, 
the encrypted subset being stored in a storage; and 

a decryptor to decrypt the encrypted subset using the OSNK, the encrypted 
subset being retrieved from the storage. 

41 . The system of claim 37 wherein the usage protector comprises: 
an encryptor to encrypt a first hash value of the subset of the software 

environment using the OSNK, the encrypted first hash value being stored in a storage; 

a decryptor to decrypt the encrypted first hash value using the OSNK, the 
encrypted first hash value being retrieved from the storage; and 

a comparator to compare the decrypted first hash value to a second hash value 
to generate a compared result, the compared result indicating whether the subset of the 
software environment has been modified. 

42. The system of claim 37 wherein the usage protector comprises: 

a first encryptor to encrypt a first hash value of the subset of the software 
environment using the OSNK, the encrypted first hash value being stored in a storage; 
a second encryptor to encrypt a second hash value using the OSNK; and 
a comparator to compare the encrypted second hash value to the encrypted first 
hash value to generate a compared result, the encrypted first hash value being retrieved 
from the storage, the compared result indicating whether the subset of the software 
environment has been modified. 

43. The system of claim 37 wherein the usage protector comprises: 

a decryptor to decrypt a protected private key to generate a private key using the 

OSNK; 

a signature generator coupled to the decryptor to generate a signature of the 
subset of the software environment using the private key, the signature being stored in a 
storage; and 

a signature verifier to verify the signature to generate a modified/not modified 
flag using a public key, the signature being retrieved from the storage, the modified/not 
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modified flag indicating whether the subset of the software environment has been 
modified. 

44. The system of claim 37 wherein the usage protector comprises: 
a manifest generator to generate a manifest of the subset of the software 

environment, the manifest describing the subset of the software environment, the 
manifest being stored in a storage; 

a signature generator coupled to the manifest generator to generate a manifest 
signature of the manifest using a private key, the private key being decrypted using the 
OSNK, the manifest signature being stored in the storage; 

a signature verifier to verify the manifest signature to generate a signature 
verified flag using a public key, the manifest signature being retrieved from the storage; 
and 

a manifest verifier to verify the manifest to generate a manifest verified flag, the 
manifest being retrieved from the storage, the manifest verified flag and the signature 
verified flag being tested by a test center, the test center generating a pass/fail signal 
indicating whether the subset has been modified. 

45. The system of claim 37 wherein the secure platform uses an isolated 
execution mode. 

46. The system of claim 37 wherein the software environment is one of a 
Windows operating system, a Windows 95 operating system, a Windows 98 operating 
system, a Windows NT operating system, and a Windows 2000 operating system. 

47. The system of claim 37 wherein the subset of the software environment 
is a registry of an operating system. 

48. The system of claim 38 wherein the BKO is generated at random on a 
first invocation of a processor nub. 
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